Computing the unit group and solving the principal ideal problem for a number field are two of the main
tasks in computational algebraic number theory. This paper proposes efficient quantum algorithms for these
two problems when the number field has constant degree. We improve the algorithms proposed by Hallgren
by using a period function which is not one-to-one on its fundamental period. Furthermore, given access to
a function which encodes the lattice, a new method to compute the basis of an unknown real-valued lattice
is presented.



PACS numbers: 03.67.Ac, 03.67.Lx. 

I. INTRODUCTION 

Quantum algorithms can be used to realize a sub-exponential or even
exponential speed-up over known classical algorithms for some mathematical
problems by using Shor's (Shor 1994) algorithm framework. By extending the
notion of period function, Hallgren (Hallgren 2002) showed how to approximate
the period of an irrational periodic function. Moreover, Hallgren applied the
proposed technique to compute the regulator of a real-quadratic field and
solve the principal ideal problem in polynomial time. Computing the regulator
(Regulator Problem) and solving the principal ideal problem (PIP) are
interesting not only from a pure mathematical point of view. Buchmann
(Buchmann 1990) and Williams proposed a Diffie-Hellman-like cryptosystem
whose security is based on PIP. Thus, if we could solve the PIP, we would
break the cryptosystem proposed by Buchmann. We should choose a better
cryptosystem if we assume that a large-scale quantum computer can be built.

One small problem which arose during these computations was the choice of the
right approximation of natural logarithms. There was no known way to choose
the approximation in advance for a given number field, so Schmidt (Schmidt
2005) pointed out that there remains a gap in Hallgren's (Hallgren 2002)
algorithm for the quadratic case. Moreover, Schmidt closed a gap left open by
Hallgren and generalized Hallgren's work to T/ . This generalized framework
was then applied to compute the unit group of an algebraic number field.
Schmidt's algorithm achieved an exponential speed-up over the best classical
deterministic algorithm. The problem was also independently solved by
Hallgren (Hallgren 2005, Hallgren 2007) himself. Hallgren computed the unit
group, solved the principal ideal problem, and computed the class group, for
constant degree number fields, in polynomial time.

More recently, Schmidt (Schmidt 2009) showed that the regulator problem and
the PIP in real-quadratic number fields can also be solved by using functions
which are always periodic but are many-to-one on their fundamental period.
They showed that Shor's framework could compute the right period even in such
a case with constant success probability.

Inspired by Hallgren's original work, we show that the unit group and the
principal ideal problem for constant degree number fields can also be solved
by using functions which are always periodic but are many-to-one on their
fundamental period lattice. In this paper, we solve these problems for
certain many-to-one functions whose periods are irrational and present more
efficient algorithms for these problems. The success probability for the unit
group problem is (2'''''+ir^'')~"'^ from Schmidt (Schmidt 2005) and
(23'^+3(r log A)'')-i from Hallgren (Hallgren 2005), respectively. However,
the probability from this paper is at least
$(100 \cdot (3r)^{2r} \cdot 5^{r})^{-1}$, where r is a constant and
log A ^ r.

The rest of this paper is organized as follows. In section 2, we give a short
overview of quantum computation and algebraic number theory. In section 3, a
quantum algorithm for computing the unit group of a given number field is
presented. In section 4, we propose an algorithm for the principal ideal
problem. Conclusions are given in section 5.



II. BACKGROUNDS 

A. Quantum Computing 

First we give a brief introduction to quantum computation. Many problems that
have quantum algorithms with exponential speed-up over the best known
classical algorithm use the quantum Fourier transform (QFT) as a subroutine.
These problems can be reduced to the problem of finding a basis of a period
lattice $\Lambda$. We denote by $\cdot$ the dot product of two vectors and by
$\Lambda^*$ the lattice which is dual to $\Lambda$, i.e.,
$\Lambda^* = \{v \in \mathrm{span}(\Lambda) \mid \forall u \in \Lambda : v \cdot u \in \mathbb{Z}\}$.
Generally speaking, if a basis of the dual lattice $\Lambda^*$ is known, one
can compute a basis of the original lattice $\Lambda$ efficiently on a
classical computer. So it is enough for the quantum algorithms to find an
approximation of a basis B for the dual lattice $\Lambda^*$. Several known
quantum algorithms which achieve exponential speed-up are based on this
framework, such as Shor's factorization and discrete logarithm algorithms and
Hallgren's algorithm for Pell's equation.

The framework for such an algorithm proceeds as follows. The quantum computer
uses two registers: one to store the input of the function and the other to
store the function value. Firstly, the quantum computer creates a
superposition of all possible states in the first register, computes the
function values and stores them in the second register. Secondly, we measure
the second register. By the laws of quantum mechanics, the state of the
quantum computer transforms into $\sum_{v \in L} |u + v\rangle |f(u)\rangle$,
where u is a random vector and L is a subset of $\Lambda$. Thirdly, the QFT
and a measurement are applied to the first register. Now, we get a vector
from a basis of $\Lambda^*$.

So, for a lattice $\Lambda$ with fixed dimension, we can get an approximation
of the basis B of the lattice $\Lambda^*$ with fixed probability after
running the subroutine above a constant number of times. The QFT has an
interesting and useful property, known as shift invariance, i.e., the
resulting distribution is independent of which coset is started with. Thus,
the QFT always creates a superposition of values which approximate the basis
of $\Lambda^*$ independent of u. Furthermore, after applying the QFT to the
register, the elements in the superposition are almost uniformly distributed.
For more detail about quantum computing, see Nielsen's (Nielsen 2000) book.
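The measurement statistics of this framework can be checked exactly on a toy instance. The following Python sketch is an added example, not code from the paper: it replaces the irrational period lattice by a one-dimensional integer period (constructed values Q = 64, PERIOD = 8), uses a hypothetical two-to-one function f, and computes the distribution of the measured c directly.

```python
# Added illustration, not from the paper: exact simulation of the two-register
# framework for a periodic function that is many-to-one on its period.
import cmath
from fractions import Fraction
from math import gcd

Q = 64       # size of the first register (constructed toy value)
PERIOD = 8   # hidden period; the period lattice is PERIOD * Z


def f(x):
    """Hypothetical hiding function: period PERIOD, two-to-one on each period."""
    return (x % PERIOD) // 2


def qft_distribution(y):
    """Distribution of c after the second register is measured as y and the
    QFT over Z_Q is applied to the first register."""
    preimage = [x for x in range(Q) if f(x) == y]
    norm = Q * len(preimage)
    probs = []
    for c in range(Q):
        amp = sum(cmath.exp(2j * cmath.pi * x * c / Q) for x in preimage)
        probs.append(abs(amp) ** 2 / norm)
    return probs


def support(probs, eps=1e-9):
    """Values of c that can actually be measured."""
    return [c for c, p in enumerate(probs) if p > eps]


def period_from_samples(samples):
    """Each measured c satisfies c/Q = k/PERIOD; the lcm of the reduced
    denominators recovers the period (the classical post-processing step)."""
    period = 1
    for c in samples:
        d = Fraction(c, Q).denominator
        period = period * d // gcd(period, d)
    return period


def small_c_mass(probs, bound):
    """Probability of measuring a c whose centred absolute value is <= bound."""
    return sum(p for c, p in enumerate(probs) if min(c, Q - c) <= bound)


if __name__ == "__main__":
    dist = qft_distribution(0)
    print("support:", support(dist))
    print("recovered period:", period_from_samples(support(dist)))
    print("mass on |c| <= 16:", round(small_c_mass(dist, 16), 4))
```

In this toy case the distribution is the same for every measured function value (shift invariance), the support still consists of multiples of Q/PERIOD, and the many-to-one structure removes c = 32 and moves most of the mass to small |c|.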



B. Algebraic number theory 

In this section we give the necessary background on algebraic number theory.
One can find almost all of the following facts in Thiel's (Thiel 1995) work
or Cohen's (Cohen 1993) standard book on computational algebraic number
theory.

A number field K can be defined as a subfield of the complex numbers
$\mathbb{C}$ which is generated over the rational numbers $\mathbb{Q}$ by an
algebraic number, i.e., $K = \mathbb{Q}(\theta)$, where $\theta$ is a root of
a monic irreducible polynomial of degree n with rational coefficients, which
is called the minimal polynomial of $\theta$. The number n is called the
degree of K (over $\mathbb{Q}$). The signature of K is the pair
$(s,t) \in |\mathbb{Z}| \times |\mathbb{Z}|$, where s is the number of real
zeros of the minimal polynomial of $\theta$ and t is the number of pairs of
nonreal zeros; clearly, we have $s + 2t = n$. The signature is independent of
the choice of the generating polynomial and thus is an invariant of the
number field.

First we introduce some properties associated with number fields. In the
following, we shall always assume that $K = \mathbb{Q}(\theta)$ is a number
field of signature $(s,t)$. If $\theta_1, \dots, \theta_n$ are the roots of
the minimal polynomial of $\theta$, then there are n ways to embed the number
field in $\mathbb{C}$. Let $m = s + t$. An element in K has n conjugates, and
K has m absolute values, all of which correspond to the embeddings. Given any
number $\alpha \in K$, $\alpha = \sum_{i=0}^{n-1} a_i \theta^i$ for some
rational numbers $a_i \in \mathbb{Q}$, let $\alpha^{(j)}$ denote the j-th
conjugate of $\alpha$, i.e., the image of $\alpha$ in the j-th embedding:
$\alpha^{(j)} = \sum_{i=0}^{n-1} a_i \theta_j^i$. The j-th absolute value
$|\cdot|_j$ of a number $\alpha$ is a function of the absolute value in the j-th

conjugate field: lal, = I j / ,1 i - where 

$|\alpha|_j = 0 \Leftrightarrow \alpha = 0$.

An order O of a number field K is a subring of K containing 1 that also is a
module of K. Let O be an order of a number field K. A number
$\varepsilon \in O$ such that $\varepsilon^{-1} \in O$ is called a unit of O.
The set of all units of O is a multiplicative abelian group that is called
the unit group of O and is denoted by $O^*$. By the Dirichlet unit theorem,
if we set $r = s + t - 1$, we see that there exist
$\varepsilon_1, \dots, \varepsilon_r$ such that every $\varepsilon \in O^*$
can be written in a unique way as
$\varepsilon = \zeta \varepsilon_1^{n_1} \cdots \varepsilon_r^{n_r}$, where
$n_i \in \mathbb{Z}$ and $\zeta$ is a root of unity in K. So the unit group
in general will be isomorphic to $\mathbb{Z}^r$, together with a root of
unity. Given a number field of constant degree, the root of unity can be
computed efficiently by a classical computer. So computing the unit group
$O^*$ will mean computing a fundamental system of units
$\varepsilon_1, \dots, \varepsilon_r$ that generate $O^*$.

Definition 1 A fractional O-ideal I is a non-zero free Z-submodule of K such
that there exists a non-zero integer d with dI an ideal of O. An ideal is
said to be a principal ideal if there exists $x \in K$ such that $I = xO$.

Definition 2 Let I be a fractional ideal and $\alpha$ a non-zero element of
I. We will say that $\alpha$ is a minimum of I if, for all $\beta \in I$, we
have $(\forall i,\ |\beta|_i < |\alpha|_i) \Rightarrow \beta = 0$, and the
set of all minima of O will be denoted by $\mathcal{M}_O$. We will say that
the ideal I is reduced if $l(I)$ is a minimum in I, where
$I \cap \mathbb{Q} = l(I)\mathbb{Z}$.

For a given ideal, there are an exponential number of minima in general. A
reduced ideal is important because it is possible to keep the representation
size bounded by a polynomial. The set of all principal reduced ideals
$\mathcal{R}_O$ is precisely the set of ideals where $\alpha$ runs through
all minima of O.

Definition 3 The logarithmic embedding of $K^*$ in $\mathbb{R}^{s+t}$ is the
map Log which sends $\alpha$ to

$$\mathrm{Log} : \alpha \mapsto (\log|\alpha|_1, \dots, \log|\alpha|_{s+t}).$$

Definition 4 (Unit group problem). Given a num- 
ber field K and the ring of integers O, find a system of 
fundamental units of K. 

Lemma 1 (Cohen 1993) The image of the group of units $O^*$ under the
logarithmic embedding is a lattice (of rank r) in the hyperplane
$\sum_{1 \le i \le s+t} x_i = 0$ of $\mathbb{R}^{s+t}$. The kernel of the
logarithmic embedding is exactly equal to the group of the roots of unity in
K.

Given the lattice $\Lambda$, one can get the unit group $O^*$ efficiently on
a classical computer. So it is enough for us to find a basis of the lattice
$\Lambda$.

III. COMPUTING THE UNIT GROUP

A. The periodic function

By assigning to each point v in $\mathbb{Q}^r$ the element of $\mathcal{R}_O$
which is closest to v mod $\Lambda$ we obtain a periodic function with period
lattice $\Lambda$. Unlike Hallgren's work, we consider many-to-one periodic
functions; thus, the stringent injectivity requirement is entirely discarded.

First we give the definition of the periodic function which hides $\Lambda$
for computing the unit group. For some $N \in \mathbb{Z}$ we define $f_N$ as
follows:

$$f_N : \mathbb{Z}^r \to \mathcal{R}_O : v \mapsto I_{v/N} = \frac{1}{\sigma(v/N)} O,$$

where $I_{v/N}$ is the reduced ideal such that $\sigma(v/N)$ is the minimum
of O that minimizes $\|v/N - \mathrm{Log}\,\sigma(v/N)\|_2$. In particular,
if two or more $\sigma(v/N)$ meet the condition, we choose the right one by
lexicographic comparison.

The difference between the function defined by Hallgren and the one in this
paper is that the injectivity in our function is dropped entirely. By the
results of Hallgren (Hallgren 2005) and Schmidt (Schmidt 2005), and as
demonstrated in detail in Algorithm 6.2.20 (Thiel 1995), one can compute the
reduced ideal that is near the given point in polynomial time for number
fields with constant degree.

Next we will show that $f_N$ is periodic.

Definition 5 Let $M \subset \mathbb{Z}^r$. The centre of M is a point
$p \in M$ such that for any $p' \in M$,
$\sum_{v \in M} \|p - v\|_2 \le \sum_{v \in M} \|p' - v\|_2$. In particular,
if two or more p meet the condition, we choose the right one by lexicographic
comparison.

Lemma 2 Let = {w' e Z^|/Ar(w') = iO} and 
V e Z^ belong to the same fundamental parallelepiped of 
A^A, w is the centre of S^. We denote the absolute of the 
discriminant of O by Aq . Then, for any n e A^A, there 
exists ||/3(w, n)||^ ^ ilogAo such that the following is 
true, 

(1) Let V = V - w = (wi,U2, ...,tJr-), /3(w,n) = 
(^i,/32, ...;5r), for any 1 i r, if \v\^ > then 
w + v + n + p(w,n) ^ 5",^, where ||p(w,n))||^ ^ 1/2. 

(2) For n,n' G iVA, maxn,„. |l/3(w, n) - /3(w, n')||^ 

2. 

Proof: (1) By lemma 5.1.14 proved in [9], the number 
N of minima in a box of side length j log Aq satisfies 
1 ^ iV ^ 4"(log Ao)''. So the distance of two minimum 
is less than i log Ao , then, if \vi\ > \ log Aq , we have 
w-hv-Hn + p(w,n) i Sa, i.e. |l/3(w,n)||^ ^ ^logAo. 

(2) Let n = A^Loge for some unit e. If a is the 
minimum closest to then in most of case, ea is 

the one closest to ^'^"'"j^^"^ . Here [•] rounds to the clos- 
est integer and is applied to the vector component-wise. 
If and only if w -I- v is in the boundary of 5"^, we 
can't determine whether w -I- v n + p(w, n) e Sa 



holds. Then due to rounding, for different n, n' € A'A, 
max„,„, ||/3(w,n) -/3(w,n')||^ ^ 2. 

B. The algorithm 

In this section we present a method to compute a basis for a constant
dimensional lattice hidden by a function, and to solve some instances of the
hidden subgroup problem over $\mathbb{R}^r$.

Given a function hiding a lattice $\Lambda$ we will show how to compute a
basis for the dual lattice $\Lambda^*$. To compute a basis for $\Lambda$ we
need the lattice to be well conditioned. A lattice is well conditioned if a
matrix B whose columns form a basis for $\Lambda$ is well conditioned, i.e.,
if $\|B\| \cdot \|B^{-1}\|$ is bounded.

We denote the discriminant of K by $\Delta$. For the purposes of analyzing
running times, it is customary to use $\Delta$ as input, and an algorithm is
polynomial or exponential if it is in $O((\log \Delta)^{c})$ or
$O(\Delta^{c'})$ for some $c, c' \in \mathbb{R}$, respectively, where the
O-constants might depend exponentially on n.

Next we propose an algorithm to find an $\epsilon$-approximation to a basis
of $\Lambda^*$.

Let $N > (\log \Delta)^{r}$ and $q > \det(N\Lambda)$ be a power of 2. Now we
present our algorithm. The complete analysis will be given later.



Algorithm 1 



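Input: Number field K and the ring of integers O
Output: A set of vectors approximating a basis for
$\Lambda = \mathrm{Log}\,O^*$

1) (Create superposition)

$$\frac{1}{\sqrt{q^r}} \sum_{w_1=0}^{q-1} \cdots \sum_{w_r=0}^{q-1} |w_1\rangle \cdots |w_r\rangle |0\rangle;$$

2) (Compute function)

$$\to \frac{1}{\sqrt{q^r}} \sum_{w_1=0}^{q-1} \cdots \sum_{w_r=0}^{q-1} |w_1\rangle \cdots |w_r\rangle |f_N(w)\rangle, \quad \text{where } w = (w_1, \dots, w_r).$$

3) (Measure the second register)

$$\to \frac{1}{\sqrt{T}} \sum_{n \in L} \sum_{i=1}^{vol(\beta(w,n))} |w + v_i + n + \rho(w,n)\rangle |f_N(w)\rangle$$

With a random w,
$T = \mathrm{card}\{w' \in \mathbb{Z}_q^r \mid f_N(w') = f_N(w)\}$;
$vol(\beta(w,n))$ is the number of
$v_i = (v_{i1}, \dots, v_{ir}) \in \mathbb{Z}^r$ such that
$|v_{ij}| = |v_{ij} - w_j| < \beta_j$ and
$f_N(w + v_i + n + \rho(w,n)) = f_N(w)$;
$L = \{n \in N\Lambda \mid w + v_i + n + \rho(w,n) \in \mathbb{Z}_q^r\}$.

Test whether $f_N(w)$ lies in the set for which periodicity can be
guaranteed; if not, restart;

4) (Apply the QFT to the first register)

$$\to \frac{1}{\sqrt{(kq)^r T}} \sum_{c \in \mathbb{Z}_{qk}^r} \sum_{n \in L} \sum_{i=1}^{vol(\beta(w,n))} \exp\left(\frac{2\pi i}{kq}\,(w + v_i + n + \rho(w,n)) \cdot c\right) |c\rangle |f_N(w)\rangle$$

where k is a constant that will be determined later;

5) Measure and return the first register c;

6) Repeat the procedure; compute a basis of $(N\Lambda)^*$ from the spanning
set of vectors;

7) Compute a basis for $\Lambda$ classically.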

Notes: We now explain the constant k appearing in step 4. In Algorithm 1,
just running the QFT over $\mathbb{Z}_q^r$ as usual does not appear to be
enough to recover the dual lattice. To overcome this problem we use the
constant k to run the QFT, i.e. we 'zero-fill', computing over the larger
domain $\mathbb{Z}_{qk}^r$, with the additional part of the domain taking
zero values. This constraint also helps us to confine the errors caused by
the factor $\rho(w,n)$ in the function $f_N$. This type of operation has been
studied by Hallgren (Hallgren 2005, Hales 1999).

Algorithm 1 is a typical algorithm for the hidden subgroup problem. After
applying the QFT and measuring the first register, we can get an appropriate
c. Thus, one vector from a basis of $(N\Lambda)^*$ can be efficiently
obtained.

Next, we will present the complete analysis of the success probability.

We want to estimate the probability to measure c with 

< 2qfc- ^s&P the influence of disturbing 

$\rho(w,n)$ small, we consider only "small" c and restart the algorithm if c
is too big. To simplify the analysis, without loss of generality, let
$\beta(w,n) = (\beta_1, \beta_2, \dots, \beta_r)$ and $\beta_i = \beta$
$(1 \le i \le r)$, i.e., $S_\sigma$ is a multidimensional sphere and $\beta$
is its radius.

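Lemma 3 Let $k = 3r$, $\frac{c}{kq} = n^* + \delta(c)$,

$$C = \left\{ c \in \mathbb{Z}_{qk}^r \;\middle|\; \|c\|_\infty < \frac{q}{5(\beta+1)},\ \frac{c}{qk} - \delta(c) \in (N\Lambda)^* \right\},$$

where $\|\delta(c)\|_\infty \le \frac{1}{2qk}$; then the probability to get a
vector from a basis of $(N\Lambda)^*$ is at least
$(100 \cdot (3r)^{2r} \cdot 5^{r})^{-1}$.

Proof. The QFT is shift invariant. So for probability estimation we can
assume $w = 0$. The probability to obtain a $c \in C$ is

$$\left| \frac{1}{\sqrt{(kq)^r T}} \sum_{n \in L} \sum_{i=1}^{vol(\beta(w,n))} \exp\left(\frac{2\pi i}{kq}\,(w + v_i + n + \rho(w,n)) \cdot c\right) \right|^2
= \frac{1}{(kq)^r T} \left| \sum_{n \in L} \sum_{i=1}^{vol(\beta(w,n))} \exp\left(\frac{2\pi i}{kq}\,(v_i + n + \rho(w,n)) \cdot c\right) \right|^2 \qquad (1)$$

Let

$$\begin{aligned}
s &= (v_i + n + \rho(w,n)) \cdot \frac{c}{kq} \\
  &= v_i \cdot \frac{c}{kq} + n \cdot (n^* + \delta(c)) + \rho(w,n) \cdot \frac{c}{kq} \\
  &= v_i \cdot \frac{c}{kq} + n \cdot n^* + n \cdot \delta(c) + \rho(w,n) \cdot \frac{c}{kq}.
\end{aligned}$$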



Since ||n||^ < q, ||c|j 



< 



mc)\L ^ 2^ > we 



5- (0-1-1) ' II^V'-^lloo 2qk 

have s mod 1 = • T'fcg + n ' ^(c) + p(w, n) • 7fcg 



< r 



5-{l3+l)-kq 



+ r 



2qk 



+ r 



W-{l3+l)-kq 



5fe '' 2fc lOfc-(0+l) 

From the definition of (3{w, n), we know that 2fc(/3 + 
1) > 2k. So if fc = 3r, then s mod 1 < ^ + 
30-(/3+i) ^ W- follows that the angle between 



the vectors exp (v.; + n + /9(w, n)) • in Eq.(l) 
So the absolute value of the sum 



is larger than 



,^ s,. cos T^TT 
(3rq)' I 15 I 



Further- 



lOO-ST'-i;'- ' 

more, applying Proposition 8.7 in'* (Micciancio 2002), 



we have that card {neL} s; 
card{w'eZ^|/Ar(w') = /iv(w)} 



det(AfA) ' 



SO T 



card {n e L} 



Doi(0(w,n)) 

= E 

i=l 

Next we approximate the cardinality of C, We have 



cardC ^ card < c e Z 



^qk\ 



< 



5-(/3 + l)^ 



e (A^A)*} 



det(A^A) 



(3r-5(/3 + l))'- 
~ 1- Thus, the probability P to measure a 

'good' c is larger than $(100 \cdot (3r)^{2r} \cdot 5^{r})^{-1}$. So we can
obtain a vector from a basis of $(N\Lambda)^*$ from c.

From Lemma 2 in (Schmidt 2005), we need only a polynomial repetition of
Algorithm 1 to get a basis for $(N\Lambda)^*$.

Lemma 4* (Schmidt 2005) Let A be a lattice of a fixed 
rank r. Then for Bi e R, i?i > lO^Ar(A), there is an 
algorithm which does the following 0(poly log(det(A))). 
It samples at most random vectors A from A H 
{x e W\0 ^ Xi < Bi,i = 0, r} and outputs with prob- 
ability exponentially close to one a set of vectors from A 
which generate A. 

Theorem 1 Algorithm 1 computes the unit group $O^*$ of a constant degree
number field K in quantum polynomial time.

Proof. By Lemma 3, the probability depends only on the degree of the number
field. So, keeping the degree fixed, we need only a polynomial repetition of
the above algorithm to get a generating set for $(N\Lambda)^*$; the
polynomial time bound is clear from Lemma 4.



IV. THE PRINCIPAL IDEAL PROBLEM 

Definition 6 (Principal ideal problem) Given an ideal I of O, determine
whether or not it is a principal ideal, and if it is, compute
$\alpha \in K$ such that $I = \alpha O$.

Given a reduced principal ideal $I = \alpha O \sim I_\theta$, where
$\theta = \mathrm{Log}\,\alpha$, define the function
$g_N : \mathbb{Z} \times \mathbb{Z}^r \to \mathcal{R}_O$ by
$g_N(a, v) = I_{a\theta - v/N}$. The ideal $I_{a\theta - v/N}$ can be
computed efficiently by multiplying and $I_{-v/N}$. Furthermore, the function
$g_N$ has period lattice A, where
$A = \{(b, \eta) \in \mathbb{Z} \times \mathbb{R}^r \mid b\theta - \eta/N \in \Lambda\}$
and one of its bases is $(1, N\theta), (0, v_1), \dots, (0, v_r)$. Here $v_i$
$(1 \le i \le r)$ form a basis of the lattice $N\Lambda$. Let $e = (a, v)$ be
an $(r+1)$-dimensional vector; then we can denote $g_N(a, v)$ by $g_N(e)$.
Similarly, we give an algorithm to solve the principal ideal problem.



Algorithm 2 



Input: Number field K, the ring of integers O and a reduced ideal I

Output: $\mathrm{Log}\,\alpha$ if I is a principal ideal, i.e.
$I = \alpha O$; else 'not principal'

1) Create superposition and compute function $g_N(e)$, where
$e = (e_1, e_2, \dots, e_{r+1})$

2) Measure the second register

tio/(/3'(e,m)) _ 

^ -k J2 E |e + fi + m + w(e,m)) IgAr(e)), 

With a random e G Zg'*'^, = card{e' G 
Z^+^|£fjv(e') = S'jv(e)}, woZ(/3'(e, m)) is the number of 
such that = l/ij — ej\ < and fifjv(e + fi + m + 
a;(e, m)) = gwie); M = {m e A|e + fj + m + w(e, m) e 

Test whether $g_N(e)$ lies in the set for which periodicity can be
guaranteed; if not, restart;

3) Apply the QFT to the first register

(e + fj + m + a;(e, m)) • c) |c) \gN{e)) 

4) Measure the first register, return c;

5) Repeat the procedure, compute a basis of A; pick any two of them,
$\mathbf{c} = (c, \varepsilon_1)$, $\mathbf{d} = (d, \varepsilon_2)$ such
that $\gcd(c, d) = 1$;

6) Use the Euclidean algorithm to compute the linear combination that makes
the first coordinate equal to 1; then we have $(1, u) \in A$, therefore
$u = N\,\mathrm{Log}\,\varepsilon\alpha$ for some $\varepsilon$, where
$I = \varepsilon\alpha O$;

7) Reduce u modulo the basis of $N\Lambda$, giving an optional $\theta'$; if
$\theta'$ is an approximation of $\theta$, return it, else return
'not principal';
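
Steps 5 to 7 are classical post-processing. As an added example (not the paper's code), the following Python sketch carries them out for r = 2 on constructed data: exact rationals stand in for the real-valued approximations, and V1, V2, N_THETA and all function names are hypothetical.

```python
# Added illustration, not from the paper: classical steps 5-7 of Algorithm 2
# on a constructed lattice with r = 2 and exact rational coordinates.
from fractions import Fraction as F
from math import floor


def ext_gcd(a, b):
    """Return (g, x, y) with x*a + y*b == g == gcd(a, b)."""
    old_r, r, old_x, x, old_y, y = a, b, 1, 0, 0, 1
    while r:
        k = old_r // r
        old_r, r = r, old_r - k * r
        old_x, x = x, old_x - k * x
        old_y, y = y, old_y - k * y
    return old_r, old_x, old_y


def unit_first_coordinate(c, d):
    """Step 6: integer combination of c and d whose first coordinate is 1."""
    g, x, y = ext_gcd(int(c[0]), int(d[0]))
    if g != 1:
        raise ValueError("first coordinates are not coprime; draw new vectors")
    return tuple(x * ci + y * di for ci, di in zip(c, d))


def reduce_mod_basis(u, v1, v2):
    """Step 7: representative of u in the fundamental parallelepiped of the
    lattice spanned by v1, v2 (Cramer's rule, then floor the coordinates)."""
    det = v1[0] * v2[1] - v1[1] * v2[0]
    a = (u[0] * v2[1] - u[1] * v2[0]) / det
    b = (v1[0] * u[1] - v1[1] * u[0]) / det
    fa, fb = floor(a), floor(b)
    return (u[0] - fa * v1[0] - fb * v2[0], u[1] - fa * v1[1] - fb * v2[1])


# Constructed sample data: a basis of N*Lambda and the hidden value N*theta,
# chosen inside the fundamental parallelepiped of (V1, V2).
V1, V2 = (F(4), F(1)), (F(1), F(3))
N_THETA = (F(5, 2), F(3, 2))


def lattice_vector(b, m1, m2):
    """b*(1, N*theta) + m1*(0, V1) + m2*(0, V2), an element of the lattice A."""
    return (F(b),
            b * N_THETA[0] + m1 * V1[0] + m2 * V2[0],
            b * N_THETA[1] + m1 * V1[1] + m2 * V2[1])


def recover_n_theta(c, d):
    """Steps 6 and 7 combined: returns the reduced candidate for N*theta."""
    one_u = unit_first_coordinate(c, d)
    return reduce_mod_basis(one_u[1:], V1, V2)


if __name__ == "__main__":
    c, d = lattice_vector(3, 2, -1), lattice_vector(5, -1, 4)
    print("(1, u) =", unit_first_coordinate(c, d))
    print("candidate N*theta =", recover_n_theta(c, d))
```

With real data the coordinates are only approximations, so the final comparison with $\theta$ in step 7 has to be made up to the approximation error rather than by exact equality.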



Theorem 2 Algorithm 2 works correctly as specified and succeeds with constant
probability. The principal ideal problem for a constant degree number field
can be solved in polynomial time by running Algorithm 2.

Proof. That Algorithm 2 computes a basis of A is obvious. There is not a
unique generator, since $\varepsilon I = I$ for any unit
$\varepsilon \in O^*$. Given any ideal, a candidate generator $\alpha'$ can
be computed by running the algorithm. Then we can compute $\alpha' O$
efficiently on a classical computer. The result is I if and only if I is
principal. Furthermore, from the prime number theorem, the probability to
obtain two different non-zero vectors with coprime first coordinates is at
least $1/\ln q$. So we can obtain a correct result with pre-determined
probability.



V. CONCLUSIONS 

In this paper, we solve two problems in computational algebraic number
theory. We have proposed algorithms to compute the period lattice of
many-to-one periodic functions, and applied the technique to the computation
of the unit group of a finite extension K of $\mathbb{Q}$. Furthermore, we
extend the algorithm to solve the PIP. The algorithm prints a correct result
with pre-determined probability. Its success probability can be arbitrarily
increased by repeating the algorithm. Thus the algorithm can be applied to
attack crypto-systems that rely on the difficulty of the principal ideal
problem, yielding a better idea about which parameter sizes for these
crypto-systems remain secure in the presence of quantum computers. This is
due to the fact that the function value is a reduced ideal and not a pair of
an ideal and a distance.

Here we will discuss a few more open problems. The main problem is that we
haven't attempted to minimize the influence of the degree of the number field
on the run-time, which is unavoidably exponential now. It is still an open
problem whether or not there exist quantum algorithms that solve these
problems for number fields of arbitrary degree. Another problem is computing
the class group for a given number field by a many-to-one function.
Furthermore, finding another practical problem which realizes an exponential
speed-up by the proposed technique is more challenging.